Tuesday, April 12, 2016

Badlock: it's here, now what?

Badlock: it's here (mostly) hype.  It's April 12th.  We've known for almost three weeks this was the day... Time for badlock.  Since the initial disclosure, many in the security industry have written about Badlock.  I have two blog posts about it here and here.  I try not to contribute to the hype and was careful to speculate that it might be just that.  

So was it all hype?
Meh.  There definitely was a bug, but it honestly isn't that bad.  And it isn't catastrophic.  Microsoft only rates it as Important rather than Critical.  It was pretty underwhelming to be honest.  It's not RCE, so we won't see a Badlock worm.  An attacker would have to already be in the network to abuse it and even then, it looks like it's only MITM.

What should I do (besides patch)?
1.  Disable SMBv1.  It's a relic and doesn't need to be a thing anymore.  If you still have it in your network and need it, determine what architectural changes are needed.

2.  Enable SMB signing and enforce it for all machines where it makes sense.  Microsoft has been recommending this to prevent SMB relay attacks for years.  You can read all about it here.

3. Enable port security on your network switches - this makes ARP spoofing nearly impossible.  Helpdesk hates it, but it does improve your security in a measurable way.

4. MITM is easier on wireless in the corporate environment than it is on the wired network.  Make sure the attacker can't get on your wireless network in the first place to ensure maximum security.  WPA2 Enterprise goes a long way here.

5. Go read my earlier post and do this stuff.  It will help your network security dramatically.

Shameless plug
As always, if you need help securing your network against this or any other threat, contact us at Rendition Infosec and we'll be happy to help you.  We're also happy to help you separate the hype from the horror.


Note: Only a member of this blog may post a comment.